[ISN] Clarke Solicits Cyber-Security Input at MIT

From: InfoSec News (isnat_private)
Date: Thu Oct 17 2002 - 22:51:09 PDT

  • Next message: InfoSec News: "Re: [ISN] Spam Masquerades as Admin Alerts"

    Forwarded from: William Knowles <wkat_private>
    
    http://www.eweek.com/article2/0,3959,639096,00.asp
    
    By Dennis Fisher 
    October 17, 2002 
    
    CAMBRIDGE, Mass. - If Wednesday night's town hall meeting here was any
    indication, Richard Clarke is getting just what he asked for.
    
    After releasing a draft of the National Strategy to Secure Cyberspace
    for comment in September, Clarke has embarked on a cross-country tour,
    soliciting feedback on the document and stumping for passage of the
    bill that would create the Department of Homeland Security. During his
    most recent stop, at the Massachusetts Institute of Technology,
    audience members gave Clarke a wide range of suggestions for the
    strategy, with many of them centering on the theme of vendor
    responsibility for insecure software.
    
    Many people asked Clarke, chairman of the President's Critical 
    Infrastructure Protection Baord, to consider recommending some form of 
    regulation for the software industry as a way to spur vendors into 
    writing more secure applications. Clarke resisted the idea, as he has 
    in the past, saying that he'd rather rely on market forces and 
    customer demand to weed out the careless vendors. 
    
    One area where Clarke agreed that new legislation might be in order is 
    security research. One audience member complained that the Digital 
    Millennium Copyright Act and anti-hacking laws are preventing 
    legitimate security researchers from publishing information on new 
    vulnerabilities. 
    
    "You're basically letting them bully us into keeping vulnerabilities 
    secret," the questioner said. "Shouldn't there be some legislation on 
    this?" 
    
    "Personally, I think the answer to that is yes," Clarke responded. "We 
    need to have everyone in this country who's an IT expert looking for 
    vulnerabilities." 
    
    Jeff Schiller, the event moderator, had another suggestion. 
    
    "We also need vendors who when they put out critical security fixes 
    don't attach a new license agreement," said Schiller, MIT's network 
    manager and head of the Internet Engineering Task Force's security 
    section. The comment, which refers to an agreement that Microsoft 
    Corp. included with a service pack it released earlier this year, drew 
    a big round of applause from the audience. 
    
    In response to several comments about the apathy that many big 
    software vendors show toward security issues, Clarke urged customers 
    and researchers to bring their concerns to him if they aren't 
    satisfied with the vendor's answer. He also pointed a finger at the 
    software makers for not making smart choices in configuring their 
    products. 
    
    "People have been shipping software with totally needless, stupid 
    functionality turned on," he said. 
    
    Clarke, who served on the National Security Council during the Clinton 
    administration, likened the current attitude toward security to the 
    way some Washington officials used to feel about the potential for 
    terrorism in the United States: it will never happen to us. 
    
    "Somebody, someday is going to hurt our economy if we don't start 
    dealing with our vulnerabilities," said Clarke. 
    
    
    
    *==============================================================*
    "Communications without intelligence is noise;  Intelligence
    without communications is irrelevant." Gen Alfred. M. Gray, USMC
    ================================================================
    C4I.org - Computer Security, & Intelligence - http://www.c4i.org
    *==============================================================*
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Fri Oct 18 2002 - 01:30:11 PDT